@@ -72,7 +72,7 @@ def authorize_show_relationship
7272 related_resource =
7373 case relationship
7474 when JSONAPI ::Relationship ::ToOne
75- parent_resource . public_send ( params [ :relationship_type ] . to_sym )
75+ resources_from_relationship ( source_klass , source_id , relationship . type , context ) . first
7676 when JSONAPI ::Relationship ::ToMany
7777 # Do nothing — already covered by policy scopes
7878 else
@@ -91,7 +91,7 @@ def authorize_show_related_resource
9191
9292 source_resource = source_klass . find_by_key ( source_id , context : context )
9393
94- related_resource = source_resource . public_send ( relationship_type )
94+ related_resource = resources_from_relationship ( source_klass , source_id , relationship_type , context ) . first
9595
9696 source_record = source_resource . _model
9797 related_record = related_resource . _model unless related_resource . nil?
@@ -282,6 +282,14 @@ def authorizer
282282 @authorizer ||= ::JSONAPI ::Authorization . configuration . authorizer . new ( context : context )
283283 end
284284
285+ def resources_from_relationship ( source_klass , source_id , relationship_type , context )
286+ rid = source_klass . find_related_fragments ( [ JSONAPI ::ResourceIdentity . new ( source_klass , source_id ) ] ,
287+ relationship_type ,
288+ context : context ) . keys . first
289+
290+ rid . resource_klass . find_to_populate_by_keys ( rid . id )
291+ end
292+
285293 # TODO: Communicate with upstream to fix this nasty hack
286294 def operation_resource_id
287295 case operation_type
0 commit comments